Re: Cisco ASA 5550 NAT

soorajn2011 · ‎01-26-2020

Hi,

I have a site-to-site VPN with one of our vendor. Since they have similar n/w with our internal network, we are using NAT in ASA. Now the vendor is moving to Azure and using the same network (local). They are replicating their servers from on premise to azure. In that case we need to create another site-to-site VPN with azure. The challenge is to configure NAT with same vendor local network. Is that possible or is there any issue wile configure NAT with same vendor local subnets. The NATed IP will be different.

Regards

Sooraj

Muhammad Awais Khan · ‎01-26-2020

Hi,

You will be fine with the different Nat IP's of the subnets behind Azure cloud. You need to do NAT at both ends of tunnel to avoid conflict.

soorajn2011 · ‎01-26-2020

Thanks Muhammad.

Currently the NAT is configured in our side (ASA side).

Also when the vendor moving this to Azure and replicating the server from onpremise, I should configure the NAT in our side (ASA), not Azure side but with a different NAT subnet. Is there any way to do it in oour side with out NAT ing in Azure side.

The current NAT is attached here. In that NET-Unit4_LAN is the vendor subnet and NET-Unit4_LAN_NAT is the NATed subnet. When the vendor moving to Azure the NET-Unit4_LAN should be the same and NET-Unit4_LAN_NAT subnet will change a different subnet. Is that possible to create a NAT while setup new site-to-site VPN with Azure.

Regards

Sooraj

Muhammad Awais Khan · ‎01-26-2020

Hi,

One of the possibilities is to get one more interface for internet. Having one more interface , you can define NAT rule in similar way which you have defined already with differented Nated Address. By this, we can avoid any NAT on azure side however they have to use ipsec tunnel with your new interface IP.

Is It possible to have one more Internet interface?

soorajn2011 · ‎01-26-2020

Hi,

How to create another Internet interface in ASA via ASDM?

Attached is the current Internet interface config.

Is it configure as a sub interface?

Muhammad Awais Khan · ‎01-26-2020

Hi,

Problem is not creating an interface, we can utilize any unused port or check the possibility of sub interfsce. Problem with new ISp connectoon, can you get one more Internet connection from ISP with static IP?

Otherwise we have only choice left to configure ipsec tunnel with NAT on both sides.

soorajn2011 · ‎01-26-2020

Hi,

Is there any other option other that creating new internet interface and NAT on both sides.

Is there any option like configuring a new NAT in our side?

Thanks

Sooraj

Muhammad Awais Khan · ‎01-27-2020

Hi,

I don't think we can have additional option on ASA for this scenario. ASA will not allow you to create one more NAT with using same Source address, same source interface and different destination address.

How many IP's you are using for the appliance and services ? And how the migration will happen, is it going to be partial like some services will be migrated or it will be a single shot ?

If it is partial then we can do NAT for specific IP's instead of translating complete subnet which can achieve your objective.

Further, how the ASA is connected with ISP, is it connected to the Cisco Router ? If yes, then whether Router is doing NAT for public IP's or you assigned public IP directly to the ASA interface ?

soorajn2011 · ‎01-27-2020

Thanks for the mail.

They are migrating the services using Azure Site Recovery method. It might be a single shot migration and then replicating it. For some to confirm the azure services are working fine, both the on prem and azure services will be up.

The ASA is connected to ISP router (Juniper). But assigned the public IP directly to the ASA internet interface.

Regards

Sooraj

Muhammad Awais Khan · ‎01-27-2020

Hi,

That will be a challenge to keep both on-prem and cloud services to remain up at same time. Considering the situation, it seems best design will be to do a NAT on the cloud side in addition to your local ASA.

Maybe your vendor can do some help here.

soorajn2011 · ‎01-27-2020

Hi,

In simple I have two customers which I need to setup a site-to-site VPN with both customers having same local network and they can't do NAT from their end. I cannot force the customer to do NAT on their end. How to implement two NATs with same source interface and same source address in cisco ASA.

Regards

Sooraj

Francesco Molino · ‎01-29-2020

You can use the link I gave to ensure you'll nat the traffic when it comes in depending on the remote site but it has to arrive on a different outside interface. If both are terminating on the same outside interface, traffic will hit the same nat and it's not going to work.
It's kind of hard if you're not allowed to do anything on remote end.
What you can try, if you have everything on 1 outside interface, is to nat your internal subnet with a different one.
Example:
your site < -- > site 1
--> your real subnet: 1.1.1.0/24 , site 1 real subnet: 2.2.2.0/24
--> nat your subnet: 3.3.3.0/24 , site 1 natted: 4.4.4.0/24

your site < -- > site 2
--> your real subnet: 1.1.1.0/24 , site 1 real subnet: 2.2.2.0/24
--> nat your subnet: 5.5.5.0/24 , site 1 natted: 6.6.6.0/24

This means, you'll have 1:1 full nat of your subnet and remote end must access your devices using the natted ip. Is it something feasible?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Francesco Molino · ‎01-26-2020

Hi

Yes sure you'll be able to build a L2L tunnel and nat on both side due to overlapping network situation.
Here a link on how to do it with asa:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/211275-Configuration-Example-of-ASA-VPN-with-Ov.html

Now you need to validate if the vendor is deploying an asa or using the default azure vpn. You'll need to do this config on your side for sure.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

soorajn2011 · ‎01-26-2020

Hi Francesco,

Thanks for the reply.

Vendor is using the default azure VPN.

The current NAT is attached here. In that NET-Unit4_LAN is the vendor subnet and NET-Unit4_LAN_NAT is the NATed subnet. When the vendor moving to Azure the NET-Unit4_LAN should be the same and NET-Unit4_LAN_NAT subnet will change a different subnet. Is that possible to create a NAT while setup new site-to-site VPN with Azure (If the vendor is not doing NAT in their side)

Regards

Sooraj

Francesco Molino · ‎01-27-2020

I'm reading all posts exchanged during the day and I'm having hard time to clearly understand your challenges.

You want to have 1 or 2 VPNs with same subnets on both ends?
Can you please detail what is the goal and if you'll have 2 VPN at the same time?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question